
Comments (9)

ljharb avatar ljharb commented on August 26, 2024

I’m not sure why dependency count matters; Object.getOwnPropertyDescriptors in particular isn’t something that can be removed.

from util.promisify.

Raynos avatar Raynos commented on August 26, 2024

My current motivation is reducing dependencies that I have to manually audit for my production application.

Here is an extract from my production application

[email protected] /home/raynos/optoolco/logs
├── @optoolco/[email protected]
├── @optoolco/[email protected]
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected]
│ └─┬ [email protected]
│   ├── [email protected] deduped
│   ├─┬ [email protected]
│   │ ├─┬ [email protected]
│   │ │ └── [email protected]
│   │ └─┬ [email protected]
│   │   ├── [email protected] deduped
│   │   └─┬ [email protected]
│   │     ├─┬ [email protected]
│   │     │ ├── [email protected] deduped
│   │     │ ├── [email protected]
│   │     │ └─┬ [email protected]
│   │     │   └── [email protected] deduped
│   │     ├── [email protected]
│   │     ├─┬ [email protected]
│   │     │ └── [email protected] deduped
│   │     ├── [email protected]
│   │     ├── [email protected]
│   │     ├─┬ [email protected]
│   │     │ └── [email protected] deduped
│   │     ├── [email protected]
│   │     ├── [email protected] deduped
│   │     ├─┬ [email protected]
│   │     │ ├── [email protected] deduped
│   │     │ └── [email protected] deduped
│   │     └─┬ [email protected]
│   │       ├── [email protected] deduped
│   │       └── [email protected] deduped
│   └── [email protected]
├── [email protected]
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ └── [email protected]
│ ├── [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── [email protected]
└── [email protected] (github:heapwolf/qs#38495eb5ff3da967a28f20d8ecb81518e4ae9c3c)

From this list the major dependencies I have to audit are leveldown, aws-sdk, mkdirp, and ini.

I've read the source code of all of those except aws-sdk and leveldown.

For aws-sdk I am happy to delegate the source code correctness checking itself to Amazon, but I still want to audit its transitive dependencies.

For leveldown I am still reading the dependencies and implementation.

To simplify auditing aws-sdk I'd be happy to reduce the total number of dependencies. I just audited util.promisify itself in passing, making the following PR, and am happy with the implementation :)

#15

from util.promisify.
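The audit list above is built by hand from `npm ls` output. As an added example (not code from the thread or from any of the packages named in it), the script below does the same reduction mechanically over an `npm ls --json`-shaped tree: it flattens the nested `dependencies` objects into the unique name@version pairs a reviewer actually has to read, separates direct from transitive packages, and flags packages that appear in several places (one audit covers every copy) and packages installed at more than one version (each version is a separate audit). The tree shape (nested `dependencies`, a `version` per node, `deduped: true` on hoisted repeats) is assumed from npm's output; the sample tree and all package names in it are constructed for the example and are not the production tree posted above.

```javascript
'use strict';
// Added example: flatten an `npm ls --json`-style tree into an audit list.
// Package names and versions below are constructed, not real packages.

const sampleTree = {
  name: 'logs', version: '1.0.0',
  dependencies: {
    'promisify-shim': {
      version: '1.0.0',
      dependencies: {
        'descriptors-helper': {
          version: '1.1.3',
          dependencies: { 'keys-helper': { version: '1.1.1' } },
        },
        'getdescriptors-shim': {
          version: '2.1.0',
          dependencies: {
            // npm prints a hoisted copy as "deduped": the subtree lives higher up.
            'descriptors-helper': { version: '1.1.3', deduped: true },
            'abstract-ops': {
              version: '1.17.0',
              dependencies: {
                'keys-helper': { version: '1.1.1', deduped: true },
                // a second, older version that could not be deduped
                'string-trim': {
                  version: '1.2.0',
                  dependencies: { 'keys-helper': { version: '1.0.0' } },
                },
              },
            },
          },
        },
      },
    },
    'mkdir-helper': {
      version: '0.5.1',
      dependencies: { 'args-parser': { version: '0.0.8' } },
    },
  },
};

// Walk the tree and collect one record per unique name@version.
function flattenTree(tree) {
  const seen = new Map();
  function walk(deps, depth) {
    for (const [name, node] of Object.entries(deps || {})) {
      const id = `${name}@${node.version}`;
      const entry = seen.get(id) || { id, name, version: node.version, direct: false, occurrences: 0 };
      entry.occurrences += 1;
      if (depth === 1) entry.direct = true;
      seen.set(id, entry);
      // A deduped node points at a copy already recorded; npm does not
      // repeat its subtree, so there is nothing further to descend into.
      if (!node.deduped) walk(node.dependencies, depth + 1);
    }
  }
  walk(tree.dependencies, 1);
  return [...seen.values()].sort((a, b) =>
    a.name.localeCompare(b.name) || a.version.localeCompare(b.version));
}

// Summarise what a reviewer has to read and what can be audited once.
function auditSummary(tree) {
  const flat = flattenTree(tree);
  const versionsByName = new Map();
  for (const p of flat) {
    if (!versionsByName.has(p.name)) versionsByName.set(p.name, new Set());
    versionsByName.get(p.name).add(p.version);
  }
  return {
    unique: flat.length,
    direct: flat.filter((p) => p.direct).map((p) => p.id),
    transitive: flat.filter((p) => !p.direct).map((p) => p.id),
    // Same name@version reached by several paths: one audit covers all of them.
    shared: flat.filter((p) => p.occurrences > 1).map((p) => p.id),
    // Same name at different versions: each version is its own audit.
    multiVersion: [...versionsByName].filter(([, v]) => v.size > 1).map(([n]) => n),
  };
}

console.log(JSON.stringify(auditSummary(sampleTree), null, 2));
```

Run it against real data by replacing `sampleTree` with `JSON.parse` of `npm ls --all --json` output; the walk stops at deduped nodes on purpose, so the `unique` figure is the number of distinct packages installed, not the number of lines in the tree.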

Raynos avatar Raynos commented on August 26, 2024

For more information about

I’m not sure why dependency count matters;

I recently tweeted about this issue https://twitter.com/Raynos/status/1207637549910507520

I was thinking of expanding my thoughts in a blog post about this topic.

from util.promisify.

ljharb avatar ljharb commented on August 26, 2024

Bundling doesn’t reduce auditing burden, it increases it. More deps is better imo.

from util.promisify.

ljharb avatar ljharb commented on August 26, 2024

In this case, every single one of those transitive deps is a package i maintain, ftr.

from util.promisify.

Raynos avatar Raynos commented on August 26, 2024

Bundling doesn’t reduce auditing burden, it increases it. More deps is better imo.

You would be correct if inlining was not trivial; it's <20 lines of code for 3 dependencies.

from util.promisify.
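The two positions above (that the Object.getOwnPropertyDescriptors step cannot be removed, and that the whole thing inlines in under 20 lines) are easier to weigh with the code in front of you. The following is an added example, not the util.promisify package's source and not code posted by either participant: a minimal promisify in the shape of Node's util.promisify, with the descriptor copy that the thread is about. `readConfig` is a constructed callback-style function standing in for something like fs.readFile; `kCustom` is the same well-known symbol Node uses for a hand-written promise variant.

```javascript
'use strict';
// Added example: a small promisify in the style of Node's util.promisify.
// Not the util.promisify package's code; readConfig below is constructed.

const kCustom = Symbol.for('nodejs.util.promisify.custom');

function promisify(original) {
  if (typeof original !== 'function') {
    throw new TypeError('The "original" argument must be of type Function');
  }
  // An author can ship a hand-written promise variant under the custom symbol.
  if (typeof original[kCustom] === 'function') {
    return original[kCustom];
  }

  function fn(...args) {
    return new Promise((resolve, reject) => {
      original.call(this, ...args, (err, value) => {
        if (err) return reject(err);
        resolve(value);
      });
    });
  }

  Object.setPrototypeOf(fn, Object.getPrototypeOf(original));
  Object.defineProperty(fn, kCustom, {
    value: fn, enumerable: false, writable: false, configurable: true,
  });
  // The step the thread is about: every own property of `original`
  // (name, length, static helpers) is re-declared on `fn` with the same
  // descriptor, so the wrapper is a drop-in replacement for the original.
  return Object.defineProperties(fn, Object.getOwnPropertyDescriptors(original));
}

// Constructed callback-style API, standing in for something like fs.readFile.
function readConfig(name, cb) {
  const store = { 'app.json': '{"port":8080}' };
  if (!Object.prototype.hasOwnProperty.call(store, name)) {
    return cb(new Error(`ENOENT: ${name}`));
  }
  cb(null, store[name]);
}
readConfig.maxSize = 1024; // a static property the wrapper must keep

const readConfigAsync = promisify(readConfig);

// What the descriptor copy buys you: name, arity and statics survive wrapping,
// and promisify(promisify(f)) hands back the same wrapper via the custom symbol.
function wrapperSurface() {
  return {
    name: readConfigAsync.name,
    length: readConfigAsync.length,
    maxSize: readConfigAsync.maxSize,
    idempotent: promisify(readConfigAsync) === readConfigAsync,
  };
}

// Both callback outcomes mapped onto the promise.
async function demo() {
  const ok = await readConfigAsync('app.json');
  let failed;
  try {
    await readConfigAsync('missing.json');
  } catch (e) {
    failed = e.message;
  }
  return { ok, failed };
}

demo().then((r) => console.log(wrapperSurface(), r));
```

Inlined like this, the code assumes a runtime with a native Object.getOwnPropertyDescriptors (ES2017). A package that has to run on engines without it needs a polyfill for that one call, which is the dependency the thread says cannot be dropped; whether that polyfill and its own dependencies are cheaper to audit than the inlined lines is exactly the disagreement in the comments that follow.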

ljharb avatar ljharb commented on August 26, 2024

The line count isn’t the issue; being able to delegate trust and testing responsibility, at all parts of the process, is important. For example, it shouldn’t take much to be able to implicitly trust everything in the inspect-js org (which i maintain), and then you never need to audit those lines of code again.

from util.promisify.

Raynos avatar Raynos commented on August 26, 2024

@ljharb I trust you, but that does not make you Superman. I trust that you're not going to add postinstall: rm -rf ~ but I should still read the source code.

For this particular use case, upstream shares my point of view (Leonidas-from-XIV/node-xml2js#546), so my need is resolved.

from util.promisify.

ljharb avatar ljharb commented on August 26, 2024

Fair enough.

from util.promisify.
